Enacted

The Slovenian Information Security Act ("ZInfV-1"), implementing the NIS2 Directive, was adopted on 23 May 2025 and has been in force since 19 June 2025.

• The Slovenian Information Security Act ("ZInfV-1") largely aligns with the NIS2 Directive and, in several respects, exceeds its minimum harmonisation requirements.
• Broader entity coverage: ZInfV-1 extends beyond the NIS2 Directive by covering entities of national importance under protection and rescue plans, urban municipalities as local public authorities, and the defense sector, reflecting a broader national approach.
• Self-registration: ZInfV-1 introduces a national self-registration mechanism, requiring obligated entities to register within 30 days of triggering circumstances.
• Security measures and compliance: ZInfV-1 security measures broadly follow the NIS2 Directive but are implemented in a more granular and prescriptive manner at the national level. In particular, ZInfV-1 introduces additional obligations for essential and important entities, including the option to conduct background checks for staff or candidates in roles critical to network and information systems, requirements to establish logging and monitoring procedures to detect and mitigate incidents or near-incidents, and mandatory compliance assessments or self-assessments - depending on the entity’s classification - at least every two years or following a significant incident.
• Enhanced supervision and enforcement: Compared to the general NIS2 framework, ZInfV-1 grants the national competent authority, the Slovenian Government Information Security Office ("URSIV"), more explicit supervisory and enforcement powers, including the imposition of sanctions for misdemeanours.

19 June 2025